Cloud Tech Poses Problems For Lawyers | E-discovery lost in brave new world

by Matthew L. Brown

The term "cloud computing" may sound space age, but it's presenting some unique challenges for attorneys and their clients when it comes to the discovery process.

Although cloud computing covers a range of services from IT to software, its common thread is that all those services are provided by third parties that require customers to trust them with all manner of data.

"On one hand, it's very efficient for users because the company essentially rents space on a host system," said James Donnelly, an attorney at Worcester firm Mirick O'Connell and a member of the Massachusetts Bar Association's technology task force.

On the other hand, he said, the company "doesn't own the host system, and it could be located anywhere in the world."

Companies store data off-site in hard copy files all the time. Cloud computing is basically the same practice, but different in that a company's proprietary information is on some (probably shared) server that is not under the company's control and could be anywhere in the world.

"If a company is contracting with a (cloud) service company in Shrewsbury, it's a simple matter," Donnelly said. "But the mainstream is globalized" and companies tend to store their data where they can get the best rates, and often that's in China or India.

As it does in many other aspects of business, failing to prepare for the worst can and will hurt a company that doesn't carefully consider exactly how it wants to use a cloud system.

The discovery process is as old as the law itself.

When a company gets sued, it must provide any information that may be related to the case at hand. The e-discovery process is the same, but instead of digging through filing cabinets, the lawyers are scouring the company's computer files.

But lawyers say there are gaps between the rules presumed to govern the possession, custody and control of information and a company's practical ability to control the cloud systems with which they contract.

Be Prepared

"In e-discovery, it might be necessary to take immediate preservation action, which is simple if you own the servers but may be difficult to contract for when the service is outsourced," said Steven J. O'Neill, partner at the Worcester law firm of Bowditch & Dewey and founder of the firm's eDiscovery and Document Retention Policy practice. "Existing law governing discovery and investigations covers data that resides in the cloud. The rub is that few lawyers seem to know how to ask for it and how to go after it," O'Neill said.

Businesses, intentionally or not, also tend to leave preparation for being sued off the agenda. That, combined with outsourcing data storage without a specific RFP or insisting upon contract language that ensures data preservation or the right to control documents, is code for trouble.

"Most companies do not foresee that they're going to be involved in a lawsuit," Donnelly said. "If they do get into a lawsuit, it's easy to be in a situation where the host company doesn't have the ability to help the customer fulfill its discovery obligation."

That's a problem with the extent to which information is stored and retained by a particular cloud system. Donnelly said in some cloud systems, information is not stored or retained for very long. One of the most easily overlooked types of information is email.

"Most systems do not retain e-mail very long. It varies, but in one case recently, the host only stored e-mail for a couple of days. In that case, we were lucky. People were using laptops that did retain (the e-mails) and we were able to dodge the bullet."

What lawyers are looking for during the discovery process is anything relevant to the case: typed documents, memos, financial information and records, computer algorithms, technical drawings, it could be almost anything.

Often, e-discovery requests will include requests for meta-data so lawyers can view all versions of a document in question.

No Rights

It all gets tricky in the cloud. Lawyers argue that keeping data on a third party's servers should not entitle a company to narrow its e-discovery obligation. More and more, companies and their lawyers are hiring consultants, expensive consultants, to do the searching and the number of consultants that do this type of thing "is growing exponentially," Donnelly said.

John Tessel, chief technology officer of Computer Investigative Associates, is one such consultant. CIA has a Worcester office and concentrates on data security, but also performs discovery searches for companies and lawyers.

"A lot of agreements really don't have any way to bless the people you're leaving your data with," he said. Not to mention, identifying where data actually is can present jurisdictional problems.

Once the data's whereabouts is ascertained, Tessel said it's not uncommon for an out-of-state cloud company to respond, "Massachusetts court has no right to order us to release anything," especially when the data of several different clients is stored on one machine.

"There's no segregation of data. Your data is on the same machine with 20 other people and you have to image the whole drive, including everybody else's data. Can they turn that over to me?" Tessel said. "That could make for a really ugly discovery."

However, to apply a software industry buzzword, there are "solutions." Tessel said companies should carefully consider what data they want to retain.

A lot of data, emails for example, don't really have to be saved. "You have to ask yourself, 'why do I need this stuff,'" he said. If you can't come up with a satisfactory answer, get rid of it.